A security vulnerability has been confirmed in Lycos's Search Engine (other engines are suspected to be vulnerable as well). The vulnerability allows malicious web site owners to cause JavaScript code (or any other HTML code) to get included in the search results displayed to the end user by Lycos.

Lycos Europe runs different technologies from Lycos Inc. for their search engine and are not affected by this problem.

It seems that the search engines do not correctly handle HTML code written as HTML encoded text in the indexed page.

Example:
Page contains: &lt;input&gt;
Engine returns: <input>

The encoded string will be returned to the user with > instead of &gt; and the users browser will create a input field (it handles it as correct HTML code).

Why is this dangerous?
A malicious user may create an interface embedded into the engines pages (if the search engine supports PHP this is even worse; a malicious web site can build up a shell) or start a redirect attack.

Example:
A user creates a page with thousands of hidden words on his page to surely be indexed and found easily (maybe sex and other often-queried words).

He will embed hidden code into his site (on top, this is always shown by default if no Meta description exists) like:

The engine will create HTML code and every time this site is access, the user will be spammed. The malicious user may insert new JavaScript or other code into the opened window and do whatever he wants to.